Ready or Not EMV is coming October 2015

As card issuers take steps to prevent in-person fraud, many criminals will likely move online. E-Commerce Merchants need to prepare!

By Zak Stambor Managing Editor

The U.S. payments card industry is in the midst of a monumental technological shift. When many issuers this year begin distributing chip-based payment cards that create a dynamic code unique to each transaction en masse, the United States will be the last large nation to make the transition.

The new cards are arriving thanks to Visa and MasterCard rule changes; come October, any fraud resulting from a payment transaction at many types of merchants will shift to the party-either the merchant or the card issuer-using the least secure technology, which means a lot of merchants are in the midst of overhauling their store payment systems to accept chip cards.

The good news is that the chip-based cards, which are often referred to as EMV (short for Europay, MasterCard and Visa, which collaborated to develop the technology), should make it harder for criminals to use fraudulent cards in stores. After all, that’s the goal, and the technology has reduced card-present fraud in all the 80-some countries ranging from the United Kingdom to Brazil that have madethe transition to chip-based cards over the past 10 years. But there’s also some bad news; nearly all of the countries that have already made the transition have seen their card-not-present fraud rates rise.
Just look at Canada, where a nationwide rollout of chip-based cards commenced in 2008. The transition helped card fraud costs at physical stores fall roughly 55% from C$245.4 million ($195.1 million) to C$111.5 million ($88.7 million) in 2013, according to Canada Bankers Association data. But card fraud didn’t disappear; it migrated online, as domestic card-not-present fraud costs grew 133% from C$128.4 million ($102.1 million) in 2008 to C$299.4 million ($238.4 million) in 2013. While card-not-present transactions include more than e-retail transactions, Canadian e-commerce during the same period grew only by about 40%, according to eMarketer Inc. data.

The criminals found the path of least resistance. Once a barrier emerged in physical stores, criminals found it was easier to use fraudulent cards to buy items online. That shift wasn’t unique to Canada, it has been the case everywhere that’s made the transition, says Julie Conroy, research director for research and advisory firm Aite Group LLC’s retail banking practice. The United States isn’t likely to be any different. “Criminals are very good at finding the weakest link and once EMV is in place, that weakest link will be online,” she says.

She’s hardly alone in her prediction. Numerous experts, including Perry Kramer, vice president of retail technology consulting firm Boston Retail Partners, agree. “The big fallacy about EMV is that it will improve security,” he says. “It really doesn’t. It just means fraud takes place somewhere else.”

There’s little question that chip-based cards will cause card-not-present fraud rates to rise-CyberSource Inc. says the current U.S. e-commerce fraud rate is 0.9%-the unknown is when. That’s because many payments experts expect the shift to chip-based cards to be rocky; only 59% of U.S. point-of-sale locations will be chip-capable by the end of the year, according to a February Aite Group report.

But even if it takes a while for the remaining 41% of stores to have chip-capable systems in place, the transition is coming. To prepare, online retailers can learn from the experiences abroad. Those lessons are leading online retail executives like Dave Klein, owner of motorcycle gear and accessories multichannel retailer MxMegastore, to focus on the difficult task of securing their sites against fraudulent cards while, at the same time, making sure they don’t put too many barriers in place that lead shoppers to abandon their carts. “It’s a balancing act,” Klein says.

Chip-based cards should help address card-present fraud in the United States, which is a big problem for retailers with physical stores; card-present fraud losses grew more than 31% from $2.463 billion in 2011 to $3.235 billion in 2013, according to a 2014 Aite Group report. Aite Group predicts that the shift to chip-based cards will help card-present fraud to dip roughly 12% from this year to next and will fall to $2.736 billion by 2018, the lowest dollar amount since 2012.

But if the U.S. market experiences a similar pattern to the U.K. market in making the transition, card-not-present losses will soon climb. U.K. card-not-present fraud costs jumped 79% between 2005-when it shifted fraud liability to the party using the least secure technology-and 2008, when fraud peaked. Aite Group similarly expects U.S. card-not-present fraud costs, which grew more than 33% between 2011 and 2013, to continue to rise. By 2018, it expects card-not-present fraud losses will reach $6.4 billion, more than three times the $2.1 billion in losses reported in 2011. That’s far greater than 126.7% growth rate between 2011 U.S. Commerce Department-reported e-commerce sales, which totaled $194.3 billion, and research firm eMarketer Inc.’s 2018 forecast of $440.4 billion.

“There’s going to be nowhere else for fraudsters to go but online,” says Sean Curran, a director in consultancy West Monroe Partners’ Technology Infrastructure & Operations practice. “That’s where they’ll go. Online retailers have to be ready.”

Technology can help online merchants fight back. U.K. card-not-present fraud losses started to dip in 2009, because more merchants and issuers began using sophisticated tools that let merchants determine a shopper’s true identity, Aite’s Conroy says. Retailers like Klein hope that those types of technologies-he uses tools from Eye4Fraud-will help him avoid some of the mistakes U.K. e-retailers initially made.

MxMegastore put Eye4Fraudâ€™s technology in place last June after being hit hard by online fraud in December 2013 when the retailer had about two dozen incidents that a month later resulted in chargebacks. The criminals had bought a number of pieces of casual apparel and they entered shipping and billing addresses that matched. Klein didn’t suspect anything until he was hit with the chargebacks.